After a recent deployment of FSE (Forefront Server for Exchange) on an Exchange CMS, I sat back and just watched Forefront notifications come in. Initially they were delivered in my Outlook junk email folder, but I quickly figured it out and added the “domain” Forefront was sending from. This was all ok for me, a sysadmin, but then it hit me: Users whose attachments get blocked also get this notification and it probably ends up in the junk folder as well. First I thought, ok, let’s push a list of accepted domains down to the clients, but then it dawned on me that there had to be a way to change the “from” address in Forefront. As an added bonus I wanted to find a way to change it on any Server Role (mailbox, hub, cas, edge). Thankfully the Forefront Server for Exchange User Guide provides the answer (goes to show RTFM sometimes goes a long way).

How to Change the From Address

The From address is stored in a registry key on the server where FSE is installed.

  1. Open the Registry Editor and browse to the corresponding key depending on the OS version you have:
    For 32-bit:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Server Security\Notifications\FromAddress

    For 64-bit:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Notifications\FromAddress
  2. Change the default value to the sender name you would like. I chose a name that also identifies the server where the notification is sent from. You can use any alphanumeric characters, just keep in mind that illegal characters are replaced with “_”.
  3. Now Microsoft says to Restart/Recycle the Exchange and FSE services for this change to become active. Please read the notes below regarding this:

Notes: Restarting/Recycling services looks like quite a simple task; however, I do have some hints on that:

  • If using a CMS (Clustered Mailbox Server) you just have to recycle FSE on the ACTIVE node; FSE is not actively running on the PASSIVE node. Exchange services don’t need to be restarted for this change to take effect (this is my personal observation).
  • Recycling FSE on servers running Microsoft Exchange Transport Service (Transport, Edge Roles) will also recycle the Microsoft Exchange Transport service (Transport Service has a dependency on FSE) – so plan for downtime.
  • There is a “bug” in Forefront: after the change and restarting services (not sure what is the cause, didn’t play around to find out) Forefront sends out 3 failed update notifications (1 per engine), for deprecated scan engines it has (AhnLab, Sophos, CAvet) even though none of those engines are enabled/configured to get updates. I spent almost 2 hours scouring the Internet for a reason why this happened. Best just to ignore it, save yourself some brain-cells.
  • If changing the registry key by hand via remote registry, you will not see the Wow6432Node because regedit already connected you to that key.
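
The same change can be scripted so that it is repeatable across server roles. The following PowerShell is an added example, not part of the original post or the FSE User Guide; it reads the post as meaning that FromAddress is a key whose (Default) value holds the sender name, and the sample name and backup file name are made up for illustration.

```powershell
# Added example (not from the original post). Run elevated on the FSE server.
param([string]$FromAddress = 'ForefrontEXCH01')   # constructed sample name

# Key paths as given in the post; try the 64-bit (Wow6432Node) location first.
$candidates = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Notifications\FromAddress',
    'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\Notifications\FromAddress'
)
$key = $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $key) { throw 'FromAddress key not found. Is FSE installed on this server?' }

# The post says alphanumerics are safe and illegal characters become "_".
# Assumption: treat everything outside A-Z, a-z, 0-9 as illegal and refuse it,
# so the name that is written is exactly the name FSE will use.
if ($FromAddress -notmatch '^[A-Za-z0-9]+$') {
    throw "'$FromAddress' has non-alphanumeric characters; FSE would replace them with '_'."
}

# Read the key's (Default) value; GetValue('') returns $null if it is unset.
$current = (Get-Item -Path $key).GetValue('')
if ($current -eq $FromAddress) {
    # Nothing to write, so no service recycle (and no transport downtime) is needed.
    Write-Output "FromAddress is already '$FromAddress'; nothing to do."
    return
}

# Log the previous value so the change can be rolled back by hand.
$backup = Join-Path $env:TEMP 'fse-fromaddress-backup.txt'   # hypothetical file name
Add-Content -Path $backup -Value ("{0}`t{1}`t{2}" -f (Get-Date -Format s), $key, $current)

Set-ItemProperty -Path $key -Name '(default)' -Value $FromAddress

# Read back to confirm the write landed in the key FSE actually uses.
$written = (Get-Item -Path $key).GetValue('')
if ($written -ne $FromAddress) { throw "Write failed: key now holds '$written'." }

Write-Output "FromAddress changed from '$current' to '$written' (old value logged to $backup)."
Write-Output 'Recycle the FSE services for the change to take effect (see the notes above).'
```

The script deliberately does not restart any service, because on Transport and Edge roles recycling FSE also recycles the Microsoft Exchange Transport service.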

Disclaimer: As you know, changing the registry is “bad juju”; if you don’t know what you are doing you can break things, so handle these operations with care.

This is probably the first post in a series related to Forefront Security for Exchange, I hope they prove useful.